Details
- Type: Bug
- Status: Open
- Priority: Blocker
- Resolution: Unresolved
- Affects Version/s: 2.1.0
- Fix Version/s: None
- Component/s: None
- Labels: Important
Description
We are working on the Apache Atlas code and started deploying from https://github.com/apache/atlas/tree/release-2.1.0-rc3
Upon scanning with Twistlock, we found 180+ vulnerabilities.
Of these, jackson-databind and netty_netty-all are the most frequently occurring ones.
So we tried upgrading the versions, but the integration tests in atlas-webapp started failing with "org.eclipse.jetty, utils: Multi exception".
The same thing happens when upgrading the versions of any other dependencies in the atlas module. The application breaks for any other dependency we try to upgrade. For example, hadoop-hdfs uses jackson-databind as a transitive dependency, hence I am unable to update its version.
PFA the dependency check for the project.
I do not see any open issue on the GitHub channel either.
Have you experienced any such scenario while upgrading earlier?
Is there a way for me to move ahead and remove the vulnerabilities in the current version?
The Atlas server distribution should be using the latest versions of its dependencies, with no or fewer CVEs.
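As an added illustration (not code from this report or from the Atlas project), the fragment below shows the standard Maven mechanism for taking control of a version that only arrives transitively, as jackson-databind does here via hadoop-hdfs: a `<dependencyManagement>` entry, or an imported BOM, overrides the version any transitive path would otherwise introduce. Every version string is a labelled placeholder; the artifact coordinates are the real ones for Jackson, Jetty, Netty and Hadoop.

```xml
<!-- Added example, not from the Atlas POM. Versions marked PLACEHOLDER are not
     taken from this report and must be chosen and validated by the project. -->
<project>
  <properties>
    <jackson.version>PLACEHOLDER-jackson-version</jackson.version>
    <netty.version>PLACEHOLDER-netty-version</netty.version>
    <jetty.version>PLACEHOLDER-jetty-version</jetty.version>
  </properties>

  <dependencyManagement>
    <dependencies>
      <!-- Import a BOM so every module of a family moves together. Bumping
           jackson-databind alone while jackson-core/jackson-annotations stay
           at the old transitive version is a common source of failures that
           only show up when the web application starts. -->
      <dependency>
        <groupId>com.fasterxml.jackson</groupId>
        <artifactId>jackson-bom</artifactId>
        <version>${jackson.version}</version>
        <type>pom</type>
        <scope>import</scope>
      </dependency>
      <!-- Same idea for Jetty: one managed version for all jetty-* artifacts. -->
      <dependency>
        <groupId>org.eclipse.jetty</groupId>
        <artifactId>jetty-bom</artifactId>
        <version>${jetty.version}</version>
        <type>pom</type>
        <scope>import</scope>
      </dependency>
      <!-- A managed version wins over any version a transitive dependency
           would otherwise pull in, without editing that dependency's POM. -->
      <dependency>
        <groupId>io.netty</groupId>
        <artifactId>netty-all</artifactId>
        <version>${netty.version}</version>
      </dependency>
    </dependencies>
  </dependencyManagement>

  <dependencies>
    <!-- hadoop-hdfs still brings jackson-databind transitively; the managed
         version from jackson-bom now applies to that transitive copy. -->
    <dependency>
      <groupId>org.apache.hadoop</groupId>
      <artifactId>hadoop-hdfs</artifactId>
      <version>PLACEHOLDER-hadoop-version</version>
    </dependency>
    <!-- Declaring the artifact directly (no version: it comes from the BOM)
         makes the chosen version explicit in the module's own POM. -->
    <dependency>
      <groupId>com.fasterxml.jackson.core</groupId>
      <artifactId>jackson-databind</artifactId>
    </dependency>
  </dependencies>
</project>
```

To confirm which version Maven actually resolved and which transitive copies it discarded, run `mvn dependency:tree -Dincludes=com.fasterxml.jackson.core:jackson-databind` (add `-Dverbose` to see the omitted conflicting versions and the path that introduced them). Maven only checks version resolution, not runtime compatibility, so the atlas-webapp integration tests remain the real gate: an older Hadoop release may call Jackson or Netty APIs that a newer major version has removed, and that surfaces as the startup exception described above rather than as a build error. Finally, rescan the built server distribution rather than the source tree, since a fix in the POM only helps if the shipped tarball contains the upgraded jars.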
Attachments
Issue Links
- relates to
  - ATLAS-4000 update Jetty version to 9.4.31 (Resolved)
  - ATLAS-4046 Use Jetty BOM to simplify dependency management (Patch Available)